Hack Alert: WordPress 2.8.4: Security Release

by Nicholas Ramirez on September 4, 2009


There is a new hack floating around targeting a security vulnerability in WordPress versions up to 2.8.3, so unless you've upgraded WordPress since 2.8.4 came out on August 12 I recommend you upgrade to the newest version pronto. If you aren't sure which version you're running, the $wp_version value in wp-includes/version.php is the authoritative answer.

The hack exploits a flaw in the way WordPress handles password resets for its users: a crafted request skips the check that a reset was actually requested by the account owner, and the first account in the users table with no pending reset key (generally the Admin) has its password reset. The new password is e-mailed to that account's owner, so the attacker does not get in, but the site owner is locked out until they read the mail.

Here’s some detail from Wordpress:

WordPress 2.8.4: Security Release
Posted August 12, 2009 by Matt. Filed under Releases, Security.

Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.
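The post above only says "a specially crafted URL" and "bypass a security check". As an added illustration (not code from this post or from the WordPress source), the following simplified PHP models the class of check involved: a reset-key check that tests only for "non-empty", beside a hardened version that also enforces the type. The case the example models is a parameter that arrives as an array rather than a string, which is what PHP produces for a key[]= query string. The in-memory user table, the find_user_by_key helper, the reset_password_* function names and the key values are constructed for the example; the array-to-empty-string step stands in for a query builder that accepts its placeholder values as a single array, as wpdb::prepare does.

```php
<?php
// Added illustration, not the WordPress source: a simplified model of a
// password-reset-key check that only tests for "non-empty", beside a
// hardened version that also enforces the type.

// Constructed sample user table; stands in for the database. Rows 1 and 2
// have no pending reset, so their stored key is the empty string.
$users = [
    ['ID' => 1, 'user_login' => 'admin',  'user_activation_key' => ''],
    ['ID' => 2, 'user_login' => 'editor', 'user_activation_key' => ''],
    ['ID' => 3, 'user_login' => 'alice',  'user_activation_key' => 'k9a3b'],
];

// Stand-in for SELECT ... WHERE user_activation_key = %s LIMIT 1:
// returns the first row whose stored key equals $key.
function find_user_by_key(array $users, string $key): ?array
{
    foreach ($users as $u) {
        if ($u['user_activation_key'] === $key) {
            return $u;
        }
    }
    return null;
}

// Vulnerable pattern. preg_replace() applied to an array returns an array,
// and a one-element array is never empty(), so a key that arrives as
// array('') passes the check. A query builder that accepts its placeholder
// values as a single array (as wpdb::prepare does) then binds '' for %s,
// and the lookup matches the first account with no pending reset key.
function reset_password_vulnerable(array $users, $key): ?array
{
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) {
        return null;                       // "Invalid key"
    }
    // Models the binding step: an array collapses to its first element.
    $bound = is_array($key) ? (string) ($key[0] ?? '') : $key;
    return find_user_by_key($users, $bound);
}

// Hardened pattern: reject anything that is not a plain string before it
// reaches the sanitiser or the query, and reject the empty string explicitly.
function reset_password_hardened(array $users, $key): ?array
{
    if (!is_string($key)) {
        return null;                       // arrays, null, etc. are invalid
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ($key === '') {
        return null;
    }
    return find_user_by_key($users, $key);
}

// Demonstration. $crafted is what PHP's request parsing produces for a
// query string containing key[]= (the parameter arrives as an array).
$legit   = 'k9a3b';
$crafted = [''];

foreach (['vulnerable' => 'reset_password_vulnerable',
          'hardened'   => 'reset_password_hardened'] as $label => $fn) {
    foreach (['legit key' => $legit, 'array key' => $crafted] as $case => $key) {
        $u = $fn($users, $key);
        printf("%-10s %-9s -> %s\n", $label, $case,
               $u === null ? 'rejected' : 'would reset ' . $u['user_login']);
    }
}
```

Run it with the php command-line interpreter. The vulnerable function accepts the legitimate key for alice as expected, but also accepts the array value and selects admin, the first row with no pending key; the hardened function accepts only the legitimate key and rejects the array outright. The practical lesson is that empty() is not a type check: anything read from a request and handed to a query should be confirmed to be a string first, and a query that looks up a one-time token should never be allowed to run with an empty token.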
